Add support for signing E-Mails and fixed tests.
This commit is contained in:
parent
63fb32eb40
commit
830a60b19f
@ -139,7 +139,7 @@ func (cms *CMS) Decrypt(contentInfo []byte) (plain []byte, err error) {
|
|||||||
}
|
}
|
||||||
|
|
||||||
// Sign signs the data and returns returns DER-encoded ASN.1 ContentInfo.
|
// Sign signs the data and returns returns DER-encoded ASN.1 ContentInfo.
|
||||||
func (cms *CMS) Sign(data []byte) (der []byte, err error) {
|
func (cms *CMS) Sign(data []byte, detachedSignature ...bool) (der []byte, err error) {
|
||||||
|
|
||||||
enci, err := protocol.NewDataEncapsulatedContentInfo(data)
|
enci, err := protocol.NewDataEncapsulatedContentInfo(data)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
@ -162,6 +162,10 @@ func (cms *CMS) Sign(data []byte) (der []byte, err error) {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if len(detachedSignature) > 0 && detachedSignature[0] {
|
||||||
|
sd.EncapContentInfo.EContent = nil
|
||||||
|
}
|
||||||
|
|
||||||
ci, err := sd.ContentInfo()
|
ci, err := sd.ContentInfo()
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return
|
return
|
||||||
|
@ -104,7 +104,7 @@ func TestSignVerify(t *testing.T) {
|
|||||||
func TestEncryptOpenSSL(t *testing.T) {
|
func TestEncryptOpenSSL(t *testing.T) {
|
||||||
message := []byte("Hallo Welt!")
|
message := []byte("Hallo Welt!")
|
||||||
|
|
||||||
der, err := openssl.Encrypt(message, leaf.Certificate)
|
der, err := openssl.Encrypt(message, leaf.Certificate, "-outform", "DER")
|
||||||
if err != nil {
|
if err != nil {
|
||||||
t.Error(err)
|
t.Error(err)
|
||||||
}
|
}
|
||||||
@ -129,7 +129,7 @@ func TestDecryptOpenSSL(t *testing.T) {
|
|||||||
t.Error(err)
|
t.Error(err)
|
||||||
}
|
}
|
||||||
|
|
||||||
plain, err := openssl.Decrypt(ciphertext, leaf.PrivateKey)
|
plain, err := openssl.Decrypt(ciphertext, leaf.PrivateKey, "-inform", "DER")
|
||||||
if err != nil {
|
if err != nil {
|
||||||
t.Error(err)
|
t.Error(err)
|
||||||
}
|
}
|
||||||
@ -142,7 +142,7 @@ func TestDecryptOpenSSL(t *testing.T) {
|
|||||||
func TestSignOpenSSL(t *testing.T) {
|
func TestSignOpenSSL(t *testing.T) {
|
||||||
message := []byte("Hallo Welt")
|
message := []byte("Hallo Welt")
|
||||||
|
|
||||||
sig, err := openssl.SignDetached(message, leaf.Certificate, leaf.PrivateKey, intermediate.Certificate)
|
sig, err := openssl.SignDetached(message, leaf.Certificate, leaf.PrivateKey, []*x509.Certificate{intermediate.Certificate}, "-outform", "DER")
|
||||||
if err != nil {
|
if err != nil {
|
||||||
t.Error(err)
|
t.Error(err)
|
||||||
}
|
}
|
||||||
@ -176,7 +176,7 @@ func TestVerifyOpenSSL(t *testing.T) {
|
|||||||
t.Error(err)
|
t.Error(err)
|
||||||
}
|
}
|
||||||
|
|
||||||
sig, err := openssl.Verify(der, root.Certificate)
|
sig, err := openssl.Verify(der, root.Certificate, "-inform", "DER")
|
||||||
if err != nil {
|
if err != nil {
|
||||||
t.Error(err)
|
t.Error(err)
|
||||||
}
|
}
|
||||||
|
100
mime/mime.go
100
mime/mime.go
@ -4,6 +4,7 @@ package mime
|
|||||||
|
|
||||||
import (
|
import (
|
||||||
"bytes"
|
"bytes"
|
||||||
|
"crypto/rand"
|
||||||
"errors"
|
"errors"
|
||||||
"fmt"
|
"fmt"
|
||||||
"strings"
|
"strings"
|
||||||
@ -35,13 +36,26 @@ func (m *MIME) Body() []byte {
|
|||||||
}
|
}
|
||||||
|
|
||||||
//Gets the full message
|
//Gets the full message
|
||||||
func (m *MIME) Full() []byte {
|
func (m *MIME) Full(sep ...[]byte) []byte {
|
||||||
|
|
||||||
var sep []byte
|
if len(sep) == 0 {
|
||||||
sep = append(sep, m.interm.Line...)
|
return m.FullLines().bytes(nil)
|
||||||
sep = append(sep, m.interm.endOfLine...)
|
}
|
||||||
|
|
||||||
return append(append(m.Header(), sep...), m.Body()...)
|
return m.FullLines().bytes(sep[0])
|
||||||
|
}
|
||||||
|
|
||||||
|
//Gets the full message as Lines
|
||||||
|
func (m *MIME) FullLines() (full Lines) {
|
||||||
|
|
||||||
|
full = append(full, m.headerFld...)
|
||||||
|
if m.interm.Line == nil && m.interm.endOfLine == nil {
|
||||||
|
m.interm = Line{nil, LF}
|
||||||
|
}
|
||||||
|
full = append(full, m.interm)
|
||||||
|
full = append(full, m.body...)
|
||||||
|
|
||||||
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
//Adds a header field to the header of the message
|
//Adds a header field to the header of the message
|
||||||
@ -62,11 +76,16 @@ func (m *MIME) AddHeaderField(key, value []byte) {
|
|||||||
//Removes a header fild from the header of the message
|
//Removes a header fild from the header of the message
|
||||||
func (m *MIME) DeleteHeaderField(key []byte) {
|
func (m *MIME) DeleteHeaderField(key []byte) {
|
||||||
|
|
||||||
for i := len(m.headerFld) - 1; i >= 0; i-- {
|
for i := 0; i < len(m.headerFld); i++ { //i := range m.headerFld {
|
||||||
colonInd := bytes.Index(m.headerFld[i].Line, []byte(":"))
|
keyAndField := bytes.SplitN(m.headerFld[i].Line, []byte(":"), 2)
|
||||||
k := m.headerFld[i].Line[:colonInd]
|
|
||||||
if bytes.Equal(bytes.ToLower(k), bytes.ToLower(key)) {
|
if len(keyAndField) == 2 && bytes.Equal(bytes.ToLower(keyAndField[0]), bytes.ToLower(key)) {
|
||||||
|
|
||||||
m.headerFld = append(m.headerFld[:i], m.headerFld[i+1:]...)
|
m.headerFld = append(m.headerFld[:i], m.headerFld[i+1:]...)
|
||||||
|
for i < len(m.headerFld) && isContinuedLine(m.headerFld[i].Line) {
|
||||||
|
m.headerFld = append(m.headerFld[:i], m.headerFld[i+1:]...)
|
||||||
|
}
|
||||||
|
i--
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -76,15 +95,18 @@ func (m *MIME) DeleteHeaderField(key []byte) {
|
|||||||
func (m *MIME) GetHeaderField(key []byte) (values [][]byte) {
|
func (m *MIME) GetHeaderField(key []byte) (values [][]byte) {
|
||||||
|
|
||||||
for i := range m.headerFld {
|
for i := range m.headerFld {
|
||||||
colonInd := bytes.Index(m.headerFld[i].Line, []byte(":"))
|
keyAndField := bytes.SplitN(m.headerFld[i].Line, []byte(":"), 2)
|
||||||
if colonInd < 1 {
|
|
||||||
fmt.Printf("%q\n", (m.headerFld[i].Line))
|
value := []byte{}
|
||||||
}
|
if len(keyAndField) == 2 && bytes.Equal(bytes.ToLower(keyAndField[0]), bytes.ToLower(key)) {
|
||||||
k := m.headerFld[i].Line[:colonInd]
|
|
||||||
if bytes.Equal(bytes.ToLower(k), bytes.ToLower(key)) {
|
value = append(value, keyAndField[1][1:]...)
|
||||||
if colonInd+2 < len(m.headerFld[i].Line) {
|
for k := 1; i+k < len(m.headerFld) && isContinuedLine(m.headerFld[i+k].Line); k++ {
|
||||||
values = append(values, m.headerFld[i].Line[colonInd+2:])
|
value = append(value, m.headerFld[i+k-1].endOfLine...)
|
||||||
|
value = append(value, m.headerFld[i+k].Line...)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
values = append(values, value)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -181,24 +203,9 @@ func Parse(raw []byte) (m MIME) {
|
|||||||
}
|
}
|
||||||
|
|
||||||
func parseMIME(rawLines Lines) (m MIME) {
|
func parseMIME(rawLines Lines) (m MIME) {
|
||||||
var headerField Line
|
|
||||||
|
|
||||||
for i := range rawLines {
|
for i := range rawLines {
|
||||||
|
|
||||||
if len(rawLines[i].Line) > 0 && isContinuedLine(rawLines[i].Line) && i > 0 && !isEmpty(rawLines[i].Line) {
|
|
||||||
headerField.Line = append(headerField.Line, headerField.endOfLine...)
|
|
||||||
headerField.Line = append(headerField.Line, rawLines[i].Line...)
|
|
||||||
headerField.endOfLine = rawLines[i].endOfLine
|
|
||||||
} else {
|
|
||||||
|
|
||||||
if i > 0 {
|
|
||||||
m.headerFld = append(m.headerFld, headerField)
|
|
||||||
}
|
|
||||||
|
|
||||||
//Next headerField
|
|
||||||
headerField = rawLines[i]
|
|
||||||
}
|
|
||||||
|
|
||||||
// Empty line seprates header and body
|
// Empty line seprates header and body
|
||||||
if isEmpty(rawLines[i].Line) {
|
if isEmpty(rawLines[i].Line) {
|
||||||
m.interm = rawLines[i]
|
m.interm = rawLines[i]
|
||||||
@ -206,6 +213,8 @@ func parseMIME(rawLines Lines) (m MIME) {
|
|||||||
break
|
break
|
||||||
}
|
}
|
||||||
|
|
||||||
|
m.headerFld = append(m.headerFld, rawLines[i])
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
return
|
return
|
||||||
@ -241,7 +250,7 @@ func (l Lines) splitLine(sep []byte) (newL Lines) {
|
|||||||
for i := 0; i < len(split)-1; i++ {
|
for i := 0; i < len(split)-1; i++ {
|
||||||
newL = append(newL, Line{split[i], sep})
|
newL = append(newL, Line{split[i], sep})
|
||||||
}
|
}
|
||||||
newL = append(newL, Line{split[len(split)-1], nil})
|
newL = append(newL, Line{split[len(split)-1], line.endOfLine})
|
||||||
} else {
|
} else {
|
||||||
newL = append(newL, line)
|
newL = append(newL, line)
|
||||||
}
|
}
|
||||||
@ -284,3 +293,28 @@ func isContinuedLine(s []byte) bool {
|
|||||||
|
|
||||||
return false
|
return false
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// SetMultipartBody makes a mulitpart messages with given parts and contentType
|
||||||
|
func (m *MIME) SetMultipartBody(contentType string, parts ...MIME) {
|
||||||
|
|
||||||
|
body := Lines{}
|
||||||
|
|
||||||
|
// Generate boundary
|
||||||
|
bndry := make([]byte, 30)
|
||||||
|
rand.Read(bndry)
|
||||||
|
boundary := fmt.Sprintf("%x", bndry)
|
||||||
|
|
||||||
|
// Fix header
|
||||||
|
m.DeleteHeaderField([]byte("Content-Disposition"))
|
||||||
|
m.DeleteHeaderField([]byte("Content-Transfer-Encoding"))
|
||||||
|
m.SetHeaderField([]byte("Content-Type"), []byte(contentType+"; boundary="+boundary))
|
||||||
|
|
||||||
|
for i := range parts {
|
||||||
|
body = append(body, Line{[]byte("\n--" + boundary), LF})
|
||||||
|
body = append(body, parts[i].FullLines()...)
|
||||||
|
}
|
||||||
|
|
||||||
|
body = append(body, Line{[]byte("--" + boundary + "--"), LF})
|
||||||
|
|
||||||
|
m.body = body
|
||||||
|
}
|
||||||
|
@ -14,33 +14,39 @@ import (
|
|||||||
)
|
)
|
||||||
|
|
||||||
//Encrypt a message with openssl
|
//Encrypt a message with openssl
|
||||||
func Encrypt(in []byte, cert *x509.Certificate) (der []byte, err error) {
|
func Encrypt(in []byte, cert *x509.Certificate, opts ...string) (der []byte, err error) {
|
||||||
|
|
||||||
tmp, err := ioutil.TempFile("", "example")
|
tmp, err := ioutil.TempFile("", "example")
|
||||||
defer os.Remove(tmp.Name())
|
defer os.Remove(tmp.Name())
|
||||||
|
|
||||||
pem.Encode(tmp, &pem.Block{Type: "CERTIFICATE", Bytes: cert.Raw})
|
pem.Encode(tmp, &pem.Block{Type: "CERTIFICATE", Bytes: cert.Raw})
|
||||||
|
|
||||||
der, err = openssl(in, "smime", "-outform", "DER", "-encrypt", "-aes128", tmp.Name())
|
param := []string{"smime", "-encrypt", "-aes128"}
|
||||||
|
param = append(param, opts...)
|
||||||
|
param = append(param, tmp.Name())
|
||||||
|
der, err = openssl(in, param...)
|
||||||
|
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
//Decrypt a message with openssl
|
//Decrypt a message with openssl
|
||||||
func Decrypt(in []byte, key crypto.PrivateKey) (plain []byte, err error) {
|
func Decrypt(in []byte, key crypto.PrivateKey, opts ...string) (plain []byte, err error) {
|
||||||
|
|
||||||
tmp, err := ioutil.TempFile("", "example")
|
tmp, err := ioutil.TempFile("", "example")
|
||||||
defer os.Remove(tmp.Name())
|
defer os.Remove(tmp.Name())
|
||||||
|
|
||||||
pem.Encode(tmp, &pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(key.(*rsa.PrivateKey))})
|
pem.Encode(tmp, &pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(key.(*rsa.PrivateKey))})
|
||||||
|
|
||||||
plain, err = openssl(in, "smime", "-inform", "DER", "-decrypt", "-inkey", tmp.Name())
|
param := []string{"smime", "-decrypt"}
|
||||||
|
param = append(param, opts...)
|
||||||
|
param = append(param, []string{"-decrypt", "-inkey", tmp.Name()}...)
|
||||||
|
plain, err = openssl(in, param...)
|
||||||
|
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
//Create a detached signature with openssl
|
//Create a detached signature with openssl
|
||||||
func SignDetached(in []byte, cert *x509.Certificate, key crypto.PrivateKey, interm ...*x509.Certificate) (plain []byte, err error) {
|
func SignDetached(in []byte, cert *x509.Certificate, key crypto.PrivateKey, interm []*x509.Certificate, opts ...string) (plain []byte, err error) {
|
||||||
|
|
||||||
tmpCert, err := ioutil.TempFile("", "example")
|
tmpCert, err := ioutil.TempFile("", "example")
|
||||||
defer os.Remove(tmpCert.Name())
|
defer os.Remove(tmpCert.Name())
|
||||||
@ -59,13 +65,16 @@ func SignDetached(in []byte, cert *x509.Certificate, key crypto.PrivateKey, inte
|
|||||||
pem.Encode(tmpInterm, &pem.Block{Type: "CERTIFICATE", Bytes: i.Raw})
|
pem.Encode(tmpInterm, &pem.Block{Type: "CERTIFICATE", Bytes: i.Raw})
|
||||||
}
|
}
|
||||||
|
|
||||||
plain, err = openssl(in, "smime", "-sign", "-nodetach", "-outform", "DER", "-signer", tmpCert.Name(), "-inkey", tmpKey.Name(), "-certfile", tmpInterm.Name())
|
param := []string{"smime", "-sign", "-nodetach"}
|
||||||
|
param = append(param, opts...)
|
||||||
|
param = append(param, []string{"-signer", tmpCert.Name(), "-inkey", tmpKey.Name(), "-certfile", tmpInterm.Name()}...)
|
||||||
|
plain, err = openssl(in, param...)
|
||||||
|
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
//Create a signature with openssl
|
//Create a signature with openssl
|
||||||
func Sign(in []byte, cert *x509.Certificate, key crypto.PrivateKey, interm ...*x509.Certificate) (plain []byte, err error) {
|
func Sign(in []byte, cert *x509.Certificate, key crypto.PrivateKey, interm []*x509.Certificate, opts ...string) (plain []byte, err error) {
|
||||||
|
|
||||||
tmpCert, err := ioutil.TempFile("", "example")
|
tmpCert, err := ioutil.TempFile("", "example")
|
||||||
defer os.Remove(tmpCert.Name())
|
defer os.Remove(tmpCert.Name())
|
||||||
@ -84,20 +93,26 @@ func Sign(in []byte, cert *x509.Certificate, key crypto.PrivateKey, interm ...*x
|
|||||||
pem.Encode(tmpInterm, &pem.Block{Type: "CERTIFICATE", Bytes: i.Raw})
|
pem.Encode(tmpInterm, &pem.Block{Type: "CERTIFICATE", Bytes: i.Raw})
|
||||||
}
|
}
|
||||||
|
|
||||||
plain, err = openssl(in, "smime", "-sign", "-outform", "DER", "-signer", tmpCert.Name(), "-inkey", tmpKey.Name(), "-certfile", tmpInterm.Name())
|
param := []string{"smime", "-sign"}
|
||||||
|
param = append(param, opts...)
|
||||||
|
param = append(param, []string{"-signer", tmpCert.Name(), "-inkey", tmpKey.Name(), "-certfile", tmpInterm.Name()}...)
|
||||||
|
plain, err = openssl(in, param...)
|
||||||
|
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
//Verify a signature with openssl
|
//Verify a signature with openssl
|
||||||
func Verify(in []byte, ca *x509.Certificate) (plain []byte, err error) {
|
func Verify(in []byte, ca *x509.Certificate, opts ...string) (plain []byte, err error) {
|
||||||
|
|
||||||
tmpCA, err := ioutil.TempFile("", "example")
|
tmpCA, err := ioutil.TempFile("", "example")
|
||||||
defer os.Remove(tmpCA.Name())
|
defer os.Remove(tmpCA.Name())
|
||||||
|
|
||||||
pem.Encode(tmpCA, &pem.Block{Type: "CERTIFICATE", Bytes: ca.Raw})
|
pem.Encode(tmpCA, &pem.Block{Type: "CERTIFICATE", Bytes: ca.Raw})
|
||||||
|
|
||||||
plain, err = openssl(in, "smime", "-verify", "-inform", "DER", "-CAfile", tmpCA.Name())
|
param := []string{"smime", "-verify"}
|
||||||
|
param = append(param, opts...)
|
||||||
|
param = append(param, []string{"-CAfile", tmpCA.Name()}...)
|
||||||
|
plain, err = openssl(in, param...)
|
||||||
|
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
@ -5,27 +5,25 @@ import (
|
|||||||
"crypto/x509/pkix"
|
"crypto/x509/pkix"
|
||||||
"testing"
|
"testing"
|
||||||
"time"
|
"time"
|
||||||
|
|
||||||
pki "github.com/InfiniteLoopSpace/go_S-MIME/pki"
|
|
||||||
)
|
)
|
||||||
|
|
||||||
func TestCA(t *testing.T) {
|
func TestCA(t *testing.T) {
|
||||||
|
|
||||||
pki.DefaultProvince = []string{"CO"}
|
DefaultProvince = []string{"CO"}
|
||||||
pki.DefaultLocality = []string{"Denver"}
|
DefaultLocality = []string{"Denver"}
|
||||||
|
|
||||||
// Create a root CA.
|
// Create a root CA.
|
||||||
root := pki.New(pki.IsCA, pki.Subject(pkix.Name{
|
root := New(IsCA, Subject(pkix.Name{
|
||||||
CommonName: "root.myorg.com",
|
CommonName: "root.myorg.com",
|
||||||
}))
|
}))
|
||||||
|
|
||||||
// Create an intermediate CA under the root.
|
// Create an intermediate CA under the root.
|
||||||
intermediate := root.Issue(pki.IsCA, pki.Subject(pkix.Name{
|
intermediate := root.Issue(IsCA, Subject(pkix.Name{
|
||||||
CommonName: "intermediate.myorg.com",
|
CommonName: "intermediate.myorg.com",
|
||||||
}))
|
}))
|
||||||
|
|
||||||
// Create a leaf certificate under the intermediate.
|
// Create a leaf certificate under the intermediate.
|
||||||
leaf := intermediate.Issue(pki.Subject(pkix.Name{
|
leaf := intermediate.Issue(Subject(pkix.Name{
|
||||||
CommonName: "leaf.myorg.com",
|
CommonName: "leaf.myorg.com",
|
||||||
}))
|
}))
|
||||||
|
|
||||||
|
@ -8,6 +8,7 @@ import (
|
|||||||
"crypto/x509"
|
"crypto/x509"
|
||||||
"encoding/base64"
|
"encoding/base64"
|
||||||
"errors"
|
"errors"
|
||||||
|
"log"
|
||||||
"strings"
|
"strings"
|
||||||
|
|
||||||
"github.com/InfiniteLoopSpace/go_S-MIME/b64"
|
"github.com/InfiniteLoopSpace/go_S-MIME/b64"
|
||||||
@ -42,8 +43,11 @@ func (smime *SMIME) Decrypt(msg []byte) (plaintext []byte, err error) {
|
|||||||
mediaType, params, err := mail.ParseMediaType()
|
mediaType, params, err := mail.ParseMediaType()
|
||||||
|
|
||||||
if !strings.HasPrefix(mediaType, "application/pkcs7-mime") {
|
if !strings.HasPrefix(mediaType, "application/pkcs7-mime") {
|
||||||
err = errors.New("Unsupported media type: Can not decrypt this mail")
|
if !strings.HasPrefix(mediaType, "application/x-pkcs7-mime") {
|
||||||
return
|
err = errors.New("Unsupported media type: Can not decrypt this mail")
|
||||||
|
return
|
||||||
|
}
|
||||||
|
log.Println("Found Content-Type \"application/x-pkcs7-mime\" used early implementations of S/MIME agents")
|
||||||
}
|
}
|
||||||
|
|
||||||
if !strings.HasPrefix(params["smime-type"], "enveloped-data") {
|
if !strings.HasPrefix(params["smime-type"], "enveloped-data") {
|
||||||
@ -147,13 +151,16 @@ func (smime *SMIME) Verify(msg []byte) (chains [][][]*x509.Certificate, err erro
|
|||||||
mediaType, params, err := mail.ParseMediaType()
|
mediaType, params, err := mail.ParseMediaType()
|
||||||
|
|
||||||
if !strings.HasPrefix(mediaType, "multipart/signed") {
|
if !strings.HasPrefix(mediaType, "multipart/signed") {
|
||||||
err = errors.New("Unsupported media type: can not decrypt this mail")
|
err = errors.New("Unsupported media type: can not verify the signature")
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
if !strings.HasPrefix(params["protocol"], "application/pkcs7-signature") {
|
if !strings.HasPrefix(params["protocol"], "application/pkcs7-signature") {
|
||||||
err = errors.New("Unsupported smime type: can not decrypt this mail")
|
if !strings.HasPrefix(params["protocol"], "application/x-pkcs7-signature") {
|
||||||
return
|
err = errors.New("Unsupported smime type: can not verify the signature")
|
||||||
|
return
|
||||||
|
}
|
||||||
|
log.Println("Found Content-Type \"application/x-pkcs7-signature\" used early implementations of S/MIME agents")
|
||||||
}
|
}
|
||||||
|
|
||||||
parts, err := mail.MultipartGetParts()
|
parts, err := mail.MultipartGetParts()
|
||||||
@ -170,8 +177,11 @@ func (smime *SMIME) Verify(msg []byte) (chains [][][]*x509.Certificate, err erro
|
|||||||
mediaType, params, err = signature.ParseMediaType()
|
mediaType, params, err = signature.ParseMediaType()
|
||||||
|
|
||||||
if !strings.HasPrefix(mediaType, "application/pkcs7-signature") {
|
if !strings.HasPrefix(mediaType, "application/pkcs7-signature") {
|
||||||
err = errors.New("Unsupported media type: Can not decrypt this mail")
|
if !strings.HasPrefix(mediaType, "application/x-pkcs7-signature") {
|
||||||
return
|
err = errors.New("Unsupported media type: Can not decrypt this mail")
|
||||||
|
return
|
||||||
|
}
|
||||||
|
log.Println("Found Content-Type \"application/x-pkcs7-signature\" used early implementations of S/MIME agents")
|
||||||
}
|
}
|
||||||
|
|
||||||
contentTransferEncoding := signature.GetHeaderField([]byte("Content-Transfer-Encoding"))
|
contentTransferEncoding := signature.GetHeaderField([]byte("Content-Transfer-Encoding"))
|
||||||
@ -198,3 +208,52 @@ func (smime *SMIME) Verify(msg []byte) (chains [][][]*x509.Certificate, err erro
|
|||||||
|
|
||||||
return smime.CMS.VerifyDetached(signatureDer, signedMsg)
|
return smime.CMS.VerifyDetached(signatureDer, signedMsg)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// Sign signs a mail and returns the signed message.
|
||||||
|
func (smime *SMIME) Sign(msg []byte) (signedMsg []byte, err error) {
|
||||||
|
|
||||||
|
mail := mime.Parse(msg)
|
||||||
|
|
||||||
|
// Prepare the signed Part
|
||||||
|
signedPart := mime.MIME{}
|
||||||
|
signedPart.SetBody(mail.Body())
|
||||||
|
contentType := mail.GetHeaderField([]byte("Content-Type"))
|
||||||
|
if len(contentType) != 1 {
|
||||||
|
err = errors.New("Message has no Content-Type")
|
||||||
|
return
|
||||||
|
}
|
||||||
|
signedPart.SetHeaderField([]byte("Content-Type"), contentType[0])
|
||||||
|
contentTransferEncoding := mail.GetHeaderField([]byte("Content-Transfer-Encoding"))
|
||||||
|
if len(contentType) == 1 {
|
||||||
|
signedPart.SetHeaderField([]byte("Content-Transfer-Encoding"), contentTransferEncoding[0])
|
||||||
|
}
|
||||||
|
contentDisposition := mail.GetHeaderField([]byte("Content-Disposition"))
|
||||||
|
if len(contentType) == 1 {
|
||||||
|
signedPart.SetHeaderField([]byte("Content-Disposition"), contentDisposition[0])
|
||||||
|
}
|
||||||
|
|
||||||
|
// Sign
|
||||||
|
lines := mime.ParseLines(signedPart.Full())
|
||||||
|
signatureDER, err := smime.CMS.Sign(lines.Bytes(mime.CRLF), true)
|
||||||
|
|
||||||
|
// Encode signature
|
||||||
|
|
||||||
|
signature := mime.MIME{}
|
||||||
|
signature.SetHeaderField([]byte("Content-Type"), []byte("application/pkcs7-signature; name=smime.p7s"))
|
||||||
|
signature.SetHeaderField([]byte("Content-Transfer-Encoding"), []byte("base64"))
|
||||||
|
signature.SetHeaderField([]byte("Content-Disposition"), []byte("attachment; filename=smime.p7s"))
|
||||||
|
signatureBASE64, err := b64.EncodeBase64(signatureDER)
|
||||||
|
if err != nil {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
signature.SetBody(signatureBASE64)
|
||||||
|
|
||||||
|
// Make multipart/signed message
|
||||||
|
micAlg := "sha256"
|
||||||
|
cntType := "multipart/signed;\n protocol=\"application/pkcs7-signature\";\n micalg=" + micAlg
|
||||||
|
|
||||||
|
mail.SetMultipartBody(cntType, signedPart, signature)
|
||||||
|
|
||||||
|
signedMsg = mail.Full()
|
||||||
|
return
|
||||||
|
}
|
||||||
|
@ -2,10 +2,166 @@ package smime
|
|||||||
|
|
||||||
import (
|
import (
|
||||||
"bytes"
|
"bytes"
|
||||||
|
"crypto"
|
||||||
"crypto/tls"
|
"crypto/tls"
|
||||||
|
"crypto/x509"
|
||||||
|
"crypto/x509/pkix"
|
||||||
|
"fmt"
|
||||||
|
"log"
|
||||||
"testing"
|
"testing"
|
||||||
|
|
||||||
|
"github.com/InfiniteLoopSpace/go_S-MIME/openssl"
|
||||||
|
"github.com/InfiniteLoopSpace/go_S-MIME/pki"
|
||||||
)
|
)
|
||||||
|
|
||||||
|
var (
|
||||||
|
root = pki.New(pki.IsCA, pki.Subject(pkix.Name{
|
||||||
|
CommonName: "root.example.com",
|
||||||
|
}))
|
||||||
|
|
||||||
|
intermediate = root.Issue(pki.IsCA, pki.Subject(pkix.Name{
|
||||||
|
CommonName: "intermediate.example.com",
|
||||||
|
}))
|
||||||
|
|
||||||
|
leaf = intermediate.Issue(pki.Subject(pkix.Name{
|
||||||
|
CommonName: "leaf.example.com",
|
||||||
|
}))
|
||||||
|
|
||||||
|
keyPair = tls.Certificate{
|
||||||
|
Certificate: [][]byte{leaf.Certificate.Raw, intermediate.Certificate.Raw, root.Certificate.Raw},
|
||||||
|
PrivateKey: leaf.PrivateKey.(crypto.PrivateKey),
|
||||||
|
}
|
||||||
|
)
|
||||||
|
|
||||||
|
func TestEnryptDecrypt(t *testing.T) {
|
||||||
|
|
||||||
|
SMIME, err := New(keyPair)
|
||||||
|
if err != nil {
|
||||||
|
t.Error(err)
|
||||||
|
}
|
||||||
|
|
||||||
|
plaintext := []byte(msg)
|
||||||
|
|
||||||
|
ciphertext, err := SMIME.Encrypt(plaintext, []*x509.Certificate{leaf.Certificate})
|
||||||
|
if err != nil {
|
||||||
|
t.Error(err)
|
||||||
|
}
|
||||||
|
fmt.Printf("%s\n", ciphertext)
|
||||||
|
|
||||||
|
plain, err := SMIME.Decrypt(ciphertext)
|
||||||
|
if err != nil {
|
||||||
|
log.Fatal(err)
|
||||||
|
}
|
||||||
|
|
||||||
|
if !bytes.Equal(plaintext, plain) {
|
||||||
|
t.Fatal("Encryption and decryption are not inverse")
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
func TestSignVerify(t *testing.T) {
|
||||||
|
SMIME, err := New(keyPair)
|
||||||
|
if err != nil {
|
||||||
|
t.Error(err)
|
||||||
|
}
|
||||||
|
|
||||||
|
SMIME.CMS.Opts.Roots.AddCert(root.Certificate)
|
||||||
|
|
||||||
|
msg := []byte(msg)
|
||||||
|
|
||||||
|
der, err := SMIME.Sign(msg)
|
||||||
|
if err != nil {
|
||||||
|
t.Error(err)
|
||||||
|
}
|
||||||
|
|
||||||
|
_, err = SMIME.Verify(der)
|
||||||
|
if err != nil {
|
||||||
|
t.Error(err)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
func TestEncryptOpenSSL(t *testing.T) {
|
||||||
|
message := []byte("Hallo Welt!")
|
||||||
|
|
||||||
|
der, err := openssl.Encrypt(message, leaf.Certificate)
|
||||||
|
if err != nil {
|
||||||
|
t.Error(err)
|
||||||
|
}
|
||||||
|
|
||||||
|
SMIME, err := New(keyPair)
|
||||||
|
plain, err := SMIME.Decrypt(der)
|
||||||
|
if err != nil {
|
||||||
|
t.Error(err)
|
||||||
|
}
|
||||||
|
|
||||||
|
if !bytes.Equal(message, plain) {
|
||||||
|
t.Fatal("Encryption and decryption are not inverse")
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
func TestDecryptOpenSSL(t *testing.T) {
|
||||||
|
message := []byte(msg)
|
||||||
|
|
||||||
|
SMIME, _ := New()
|
||||||
|
ciphertext, err := SMIME.Encrypt(message, []*x509.Certificate{leaf.Certificate})
|
||||||
|
if err != nil {
|
||||||
|
t.Error(err)
|
||||||
|
}
|
||||||
|
|
||||||
|
plain, err := openssl.Decrypt(ciphertext, leaf.PrivateKey)
|
||||||
|
if err != nil {
|
||||||
|
t.Error(err)
|
||||||
|
}
|
||||||
|
|
||||||
|
if !bytes.Equal(message, plain) {
|
||||||
|
t.Fatal("Encryption and decryption are not inverse")
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
func TestSignOpenSSL(t *testing.T) {
|
||||||
|
message := []byte(msg)
|
||||||
|
|
||||||
|
sig, err := openssl.Sign(message, leaf.Certificate, leaf.PrivateKey, []*x509.Certificate{intermediate.Certificate})
|
||||||
|
if err != nil {
|
||||||
|
t.Error(err)
|
||||||
|
}
|
||||||
|
|
||||||
|
SMIME, err := New()
|
||||||
|
if err != nil {
|
||||||
|
t.Error(err)
|
||||||
|
}
|
||||||
|
SMIME.CMS.Opts.Roots.AddCert(root.Certificate)
|
||||||
|
|
||||||
|
_, err = SMIME.Verify(sig)
|
||||||
|
if err != nil {
|
||||||
|
t.Error(err)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
func TestVerifyOpenSSL(t *testing.T) {
|
||||||
|
SMIME, err := New(keyPair)
|
||||||
|
if err != nil {
|
||||||
|
t.Error(err)
|
||||||
|
}
|
||||||
|
|
||||||
|
SMIME.CMS.Opts.Roots.AddCert(root.Certificate)
|
||||||
|
|
||||||
|
msg := []byte(msg)
|
||||||
|
|
||||||
|
der, err := SMIME.Sign(msg)
|
||||||
|
if err != nil {
|
||||||
|
t.Error(err)
|
||||||
|
}
|
||||||
|
|
||||||
|
sig, err := openssl.Verify(der, root.Certificate)
|
||||||
|
if err != nil {
|
||||||
|
t.Error(err)
|
||||||
|
}
|
||||||
|
|
||||||
|
if !bytes.Contains(msg, bytes.Replace(sig, []byte("\r"), nil, -1)) {
|
||||||
|
t.Fatal("Signed message and message do not agree!")
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
func TestDecrypt(t *testing.T) {
|
func TestDecrypt(t *testing.T) {
|
||||||
cert, err := tls.X509KeyPair([]byte(bobCert), []byte(bobRSAkey))
|
cert, err := tls.X509KeyPair([]byte(bobCert), []byte(bobRSAkey))
|
||||||
if err != nil {
|
if err != nil {
|
||||||
|
Loading…
Reference in New Issue
Block a user